I recently had reason to suspect that there were a number of MPRs which had become corrupted in a lab environment due to the deletion of set objects.

FIM 2010 doesn’t complain when you delete a set, but it will leave any associated MPRs in an invalid state. Obviously this is not desirable, and you wouldn’t intentionally be doing this. However, it is possible that someone who doesn’t know any better could make this mistake, and if they have, how would you know?

I decided I’d write a couple of xpath queries which could probably be useful as MPR search scopes – they identified a number of faulty MPRs, and they may be worth running on your own environments now for that extra peace of mind!

Rights-granting policy where the PRINCIPAL set reference is missing

/ManagementPolicyRule[not(PrincipalSet=/*) and GrantRight=true and not(starts-with(PrincipalRelativeToResource,'%'))]

Non-rights-granting policy where the FINAL set reference is missing

/ManagementPolicyRule[not(ResourceFinalSet=/*) and not(GrantRight=true) and not(starts-with(PrincipalRelativeToResource,'%')) and not(starts-with(ActionType,'Transition'))]

Transition IN policy where the FINAL set reference is missing

/ManagementPolicyRule[not(ResourceFinalSet=/*) and not(GrantRight=true) and not(starts-with(PrincipalRelativeToResource,'%')) and (starts-with(ActionType,'TransitionIn'))]

Transition OUT policy where the CURRENT set reference is missing

/ManagementPolicyRule[not(ResourceCurrentSet=/*) and not(GrantRight=true) and not(starts-with(PrincipalRelativeToResource,'%')) and (starts-with(ActionType,'TransitionOut'))]

Note that the above queries are not likely to be a definitive set, and I’d be keen to add to them over time. They also are written on the premise that MPRs which are rights-granting do not invoke any action workflows (a “best practice” I stick to religiously).

Hope this sparks some other ideas on FIM policy integrity checks. Let me know if you come up with any others, or variations on the above.